<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I'm a little confused. Are you implying that the Domain Auth Document, alone of the methods listed in 11.1.1, would allow re-use for up to 39 months as per 11.3 in this case? I'm not sure I understand the reasoning there. In case it wasn't completely clear, the trouble we see is specifically the wording in 11.1.1 that says "...as of the date the Certificate was issued..." Your suggestion that a Domain Auth Letter would solve the problem leads me to the conclusion that you agree with my original interpretation that 11.3 DOES apply to 11.1.1 just it it applies to everything else in 11.1, "...as of the date the Certificate was issued..." notwithstanding. If it can be applied to one option in 11.1.1 then it can be applied to all, and we can close this discussion and move on. If the consensus is that "...as of the date the Certificate was issued..." in 11.1.1 does not necessarily apply to EVERY certificate issued to an Enterprise RA, then the problem is solved. We had some disagreement internally over this and came to the conclusion that the language is unclear, so I started this discussion.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>All I'm trying to accomplish is to allow an Enterprise RA client, once domain control of example.com is established, to allow that to carry forward for some specified amount of time so that they don't have to re-verify domain control for every subsequent request for a certificate for sub-domains of example.com.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Given that we have already specified max validity of collected data at 39 months in Section 11.3, I would prefer to stick with that and simply clarify the wording. I believe that was the intent when all this was originally written, but that it wasn't put down in clear language. I can point to bits of language in various sections that support that conclusion.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> If the consensus is that 39 months is too long of a max validity for this particular bit of data, fine, give me a max validity that you are comfortable with.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rich<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:sleevi@google.com] <br><b>Sent:</b> Tuesday, January 21, 2014 6:54 PM<br><b>To:</b> Rich Smith<br><b>Cc:</b> Jeremy Rowley; CABFPub<br><b>Subject:</b> Re: [cabfpub] BR Enterprise RAs<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Rich,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I don't think the EVGs necessarily represent a desirable model in this regard.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>What I'm having trouble understanding is why, when dealing with an Enterprise RA, you cannot use a Domain Authorization Document? Paragraph 2 of 11.1.1 (regarding Domain Authorization Documents), namely point (ii), seems like it would be sufficient to cover this case.<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Jan 20, 2014 at 5:58 AM, Rich Smith <<a href="mailto:richard.smith@comodo.com" target="_blank">richard.smith@comodo.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Responses inline below.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rich</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [<a href="mailto:sleevi@google.com" target="_blank">mailto:sleevi@google.com</a>] <br><b>Sent:</b> Friday, January 17, 2014 3:27 PM</span><o:p></o:p></p><div><p class=MsoNormal><br><b>To:</b> Rich Smith<br><b>Cc:</b> Jeremy Rowley; CABFPub<br><b>Subject:</b> Re: [cabfpub] BR Enterprise RAs<o:p></o:p></p></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Hi Rich,<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>While I agree with the conclusion reached by Rob, I'm a little confused how changing the definition of 14.2.4 accomplishes the desired result.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>That is, you removed the reference to 7.1.2 (although I'm uncertain why there reference is only to para 1, and not 7.1.2 in its entirety), but Section 11.1.1 would/should still apply.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] That was an oversite. I'm happy to add it back in.</span></i></b><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Have I missed something with your proposed change? Is the belief that the Enterprise RA can perform the authorization checks from 11.1 on behalf of the CA with the new wording?<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] Regarding issuing certificates w/in the verified Domain Namespace, yes.</span></i></b><o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The potential problem I see here is that it would seem to open the following loophole:<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- CA verifies Enterprise RA is authorized for foo.example (eg: via DNS) with a 5 year registration at Time X<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- At time X+59 months, Enterprise RA directs CA to issue a certificate for <a href="http://www.foo.example" target="_blank">www.foo.example</a>, with a 60 month validity (per 9.4.1)<o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>- Effective certificate lifetime is 119 months<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] It would actually be X+39 months with a 39 month validity by the time it matters for a total of 78 months, but I take your point. I would be happy to insert a lower time limit if that would alleviate this concern, but I think requiring the CA to re-verify domain control on EVERY request when we are talking about an Enterprise customer with whom the CA has an ongoing contractual relationship seems excessive and the EV Guidelines currently allow for X+27 for a possible total validity of 52 months. I don't think the intent was ever to make the BRs more restrictive on Enterprise clients than the EV Guidelines are.</span></i></b><o:p></o:p></p></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I see Section 11.1.1 and Section 14.2.4 as trying to 'defend' against this. Of course, they may be doing so poorly (by not checking the authorization duration for the domain), but at least that strikes at the intent.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>I do agree that we should try to bring the EVGs and BRs into alignment (to the degree appropriate), by permitting Enterprise RAs to perform acts on behalf of the CA, provided that all FQDNs fall within the scope of the RA's verified Domain Namespace.<o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><i><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[RWS] That's what I'm shooting for here. We seem to be in rough agreement, except possibly in terms of total max validity of the original domain verification. Do you have a suggestion for a limitation that would still largely allow an Enterprise RA to obtain most certs in their verified Domain Namespace w/out excessive delays on the CA side?</span></i></b><o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Fri, Jan 17, 2014 at 12:06 PM, Rich Smith <<a href="mailto:richard.smith@comodo.com" target="_blank">richard.smith@comodo.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ryan,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>As the result of an internal discussion regarding Enterprise RA domain control verification we have determined that the current wording of the BRs requires the CA to verify domain control on each and every certificate request by the enterprise. My initial opinion was that Section 11.3 would allow an Enterprise to obtain certificates in their verified Domain Namespace for up to 39 months, however Rob pointed out that Section 11.1.1 says:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> "the CA SHALL confirm that, _as of the date the Certificate was</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> issued_, the Applicant either is the Domain Name Registrant or has</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> control over the FQDN".</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rob's opinion is that "as of the date the Certificate was issued" has to mean something, and to interpret Section 11.3's "39 months" as overriding Section 11.1.1 would render it meaningless.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I consider his reasoning sound, but I don't think that was the intent, especially as it would make the BRs more strict in this regard than the EV Guidelines, so that is what this motion is intended to address. If everyone else is of the opinion that 11.3 is sufficient (and I do think that quite a few CAs are operating under that assumption) then we can leave it alone and move on, but I think the current wording in various sections leaves the issue open to interpretation.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rich</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ryan Sleevi [mailto:<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>] <br><b>Sent:</b> Friday, January 17, 2014 2:33 PM<br><b>To:</b> Rich Smith<br><b>Cc:</b> Jeremy Rowley; CABFPub</span><o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><b>Subject:</b> Re: [cabfpub] BR Enterprise RAs<o:p></o:p></p></div></div></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Rich,<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Your original proposal didn't quite indicate the problem that you're trying to solve - or at least, the problem as you see it, and instead only presented the solution.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is the issue something to do with the applicable namespace? Is it trying to designate additional entities as Enterprise RAs? <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>That is, I see a lot of problems with the proposal as written, and rather than trying to dissect them all, I'd like to try and understand what your end-goal is, to see how we can move there.<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Ryan<o:p></o:p></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'> <o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Fri, Jan 17, 2014 at 11:30 AM, Rich Smith <<a href="mailto:richard.smith@comodo.com" target="_blank">richard.smith@comodo.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>How about editing both to:</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>The CA MAY contractually authorize the Subject of a specified Valid Certificate to perform the RA function and authorize the CA to issue additional Certificates at ***the same or higher*** domain levels that are contained within the ***verified Domain Namespace*** of the original Certificate (also known as an Enterprise Certificate). In such case, the Subject SHALL be considered an Enterprise RA, and the following requirements SHALL apply:<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>***<span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> indicates where I made the changes.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rich</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jeremy Rowley [mailto:<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>] <br><b>Sent:</b> Friday, January 17, 2014 12:58 PM<br><b>To:</b> 'Ryan Sleevi'; 'Rich Smith'<br><b>Cc:</b> 'CABFPub'<br><b>Subject:</b> RE: [cabfpub] BR Enterprise RAs</span><o:p></o:p></p></div></div><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Because the language comes straight from the EV Guidelines. Maybe we should update both at the same time?</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Friday, January 17, 2014 10:26 AM<br><b>To:</b> Rich Smith<br><b>Cc:</b> CABFPub<br><b>Subject:</b> Re: [cabfpub] BR Enterprise RAs</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p>Third or higher is insufficient for most ccTLDs (<a href="http://example.co.uk" target="_blank">example.co.uk</a>) or overly broad for gTLDs (foo.example).<o:p></o:p></p><p>Is there a reason you didn't simply refer to the registered domain name (and any preceding labels)?<o:p></o:p></p><p>That also covers the <a href="http://school.k12.wv.us" target="_blank">school.k12.wv.us</a> type registrations as well.<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Jan 17, 2014 9:19 AM, "Rich Smith" <<a href="mailto:richard.smith@comodo.com" target="_blank">richard.smith@comodo.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Colleagues,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>In reviewing internal practices and BR compliance, we have discovered that the BRs seem to have a more restricted definition of what an Enterprise RA is allowed than the EV Guidelines. I think this is due simply to the wording of the BRs rather than specific intent. Because of that, I would like to propose the following amendment to the BRs. Please review and let me know if you are willing to endorse.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>----Motion Begins----<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Replace:<o:p></o:p></p><p>14.2.4 Enterprise RAs<o:p></o:p></p><p>The CA MAY designate an Enterprise RA to verify certificate requests from the Enterprise RA’s own organization.<o:p></o:p></p><p>The CA SHALL NOT accept certificate requests authorized by an Enterprise RA unless the following requirements are satisfied:<o:p></o:p></p><p>1. The CA SHALL confirm that the requested Fully-Qualified Domain Name(s) are within the Enterprise RA’s verified Domain Namespace (see Section 7.1.2 para 1).<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>With the following:<o:p></o:p></p><p>14.2.4 Enterprise RAs<o:p></o:p></p><p>The CA MAY contractually authorize the Subject of a specified Valid Certificate to perform the RA function and authorize the CA to issue additional Certificates at third and higher domain levels that are contained within the domain of the original Certificate (also known as an Enterprise Certificate). In such case, the Subject SHALL be considered an Enterprise RA, and the following requirements SHALL apply:<o:p></o:p></p><p>(1) An Enterprise RA SHALL NOT authorize the CA to issue an Enterprise Certificate at the third or higher domain levels to any Subject other than the Enterprise RA or a business that is owned or directly controlled by the Enterprise RA;<o:p></o:p></p><p>(2) In all cases, IF the Enterprise Certificate is to contain Organization details, the Subject of an Enterprise Certificate MUST be an organization verified by the CA in accordance with these Requirements; <o:p></o:p></p><p>(3) The CA MUST impose these limitations as a contractual requirement with the Enterprise RA and monitor compliance by the Enterprise RA; and,<o:p></o:p></p><p>(4) The audit requirements of Section 17.1 of these Requirements SHALL apply to the Enterprise RA, except in the case where the CA maintains control over the Root CA Private Key or Subordinate CA Private Key used to issue the Enterprise Certificates, in which case, the Enterprise RA MAY be exempted from the audit requirements. In the case that the Enterprise RA is granted a Technically Constrained Subordinate CA Key, Section 17.9 of these audit requirements shall apply to the Enterprise RA.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>-- </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Regards,</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Rich Smith</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Validation Manager</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'>Comodo</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:navy'><a href="http://www.comodo.com/" target="_blank">http://www.comodo.com</a></span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p></div></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></body></html>